NetScaler Licensing Dissected

NetScaler With Unlimited ICA Connections

Craig Ellrod from Citrix have posted this great blog post about previously “how to get 1-Year Licenses for NetScaler” and followed up with a post on how to get Licenses for other Citrix Products through the Citrix Ready program. Starting with NetScaler release 9.2, all MPX’s and VPX’s include a platform license for unlimited AGEE access to XenApp and XenDesktop. However, some customers have trouble finding the unlimited access license for the ICA Proxy in their MPX or VPX. Even the SE-issued license doesn’t show the unlimited access for ICA.

Background

The reason this license exists is because the AGEE functionality counts ICA proxy only connections against the CCUs. The traditional Secure-Gateway (on IIS Server) never had a concept of CCUs to count against and the legacy Net6 – Access-Gateway Standard and Advanced also did not count the ICA proxy only connections against any CCU count. The resolution for the NetScaler version of Access-Gateway (AGEE) was to create this license to make the ICA proxy only connection’s “free” in the sense that you do not have to pay for the CCUs with any kind of access license (it’s a compatibility thing to match the other products). This is why the license is separate from the platform license and the feature license. For the record, the NetScaler still does count these connections, the limit is just set to 10,000, assuming I guess that an individual NetScaler will not exceed that count (nor be needed), although I suspect it might be possible on larger platforms to better than 10,000 in which case the NS will throttle connections until it falls below 10,000.

There are four licenses that the customer may have

1. NetScaler Platform: Proper retail NetScaler (physical box) license (which is responsible for enabling all necessary features + 5 SSL VPN connections) is allocated by default to Hostname “ANY” in MyCitrix website and you cannot change this allocation. This is different from internal licenses (see 2).
2. NetScaler Features: The remainder of NetScaler licenses (Internal/Partner USE/DEMO/EVALUATION or VPX) need to be allocated to Host ID (MAC) of the appliance (articles CTX121062 page 11 and 16 and article CTX122426 page 9 and 22). The function (AGEE) is licensed/enabled by the MAC or HostID of the NetScaler. Two licenses are required for HA.
3. Access Gateway CCU license: To increase SSL VPN concurrent usage, CCUs, you must upload an AG Universal License. This license floats across HA pairs. This license needs to be allocated to the NetScaler Licensing Hostname, which is configured in /nsconfig/rc.conf file. This is NOT necessarily the same hostname as the created by ‘set ns hostname’ unless specifically made so by the customer. By default the hostname in /nsconfig/rc.conf is “ns”.
4. Access Gateway ICA license: To increase connections for ICA Connections you must upload an AG Platform License (to increase ICA connections up to 10000). This license floats across HA. This license needs to be allocated to the NetScaler Licensing Hostname, which is configured in /nsconfig/rc.conf file. This is NOT necessarily the same hostname as the created by ‘set ns hostname’ unless specifically made so by the customer. By default the hostname in /nsconfig/rc.conf is “ns”. Please reference article http://support.citrix.com/article/CTX125567.

   If you have an issue with hostname allocated for AG Platform License, you will see something like34 (CITRIX) Wrong hostid on SERVER line for license file: In /var/log/license.log.

Frequently asked questions

Q: Is it possible to know whether the unlimited access has already been included in the NETSCALER Platform license (like license of VPX-3000, MPX-7500, etc…)? Or, we (or our partners/customers) need to do

anything to retrieve that license?”
A: Unlimited remote ICA access is an entitlement of all Access Gateway or NetScaler appliance purchases (MPX or VPX). It is not included in the NetScaler Platform license. You need to retrieve the Access Gateway Platform license separately which enables the entitlement. This is in addition to the NetScaler Platform license. Both need to be present on the appliance.

Q: Do I need to install the AGEE platform license into a NetScaler?
A: Yes, you need to install the Access Gateway Platform license on NetScaler .

Q: If I set up the AGEE Vserver in BASIC MODE, there is no need for any AGEE license (platform or CCU) installed in that NetScaler?
A: If you create an AGEE vServer in Basic Mode without the Access Gateway Platform license, it will consume Access Gateway Universal Licenses. (Note: NS Standard and Enterprise come with 5 AGEE Universal CCUs per appliance and NS Platinum comes with 100 AGEE Universal CCUs per appliance.)

Q: Can I ignore the “show license” information, stating that “Maximum ICA User=0”?
A: You cannot ignore the ‘Show License’ information if it shows ‘Maximum ICA User=0’. If that is the case you have not applied an Access Gateway Platform license or the Access Gateway Platform license was not recognized by the system and any Access Gateway vServers will use AG Universal CCUs.

Q: If AGEE platform license is needed specifically in the NetScaler, is it the “CNS_AGEE_Server_Retail.lic”?
A: The confusion here may be because prior to AGEE / NS 8.1, there was an Access Gateway Platform license that enabled the base Access Gateway functionality on NetScaler. However, this older ‘Platform’ license is no longer required because all editions of NetScaler now ship with the base AG functionality already enabled. However, you need to apply the new Access Gateway Platform license if you plan to use ‘Basic’ (ICA Proxy / SG Mode-only) vServers. If you plan to use ‘SmartAccess’ (SSL VPN, SmartAccess, Clientless VPN, etc) vServers you need to apply an Access Gateway Universal CCU license.